{
	"id": "d7cfce35-0545-451e-85bb-61ed22ee951d",
	"created_at": "2026-04-06T01:32:40.359226Z",
	"updated_at": "2026-04-10T03:25:23.24352Z",
	"deleted_at": null,
	"sha1_hash": "9d02d367c2bcc77b0b5f1ce5ee3206e0de7dbbff",
	"title": "Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2395276,
	"plain_text": "Champing at the Cyberbit: Ethiopian Dissidents Targeted with\r\nNew Commercial Spyware\r\nBy System name: Hilton Gardent Inn-HANOPLocation: Hanoi\r\nArchived: 2026-04-06 00:20:05 UTC\r\nKey Findings\r\nThis report describes how Ethiopian dissidents in the U.S., U.K., and other countries were targeted with\r\nemails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins.\r\nTargets include a U.S.-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD\r\nstudent, and a lawyer. During the course of our investigation, one of the authors of this report was also\r\ntargeted.\r\nWe found a public logfile on the spyware’s command and control server and monitored this logfile\r\nover the course of more than a year. We saw the spyware’s operators connecting from Ethiopia, and\r\ninfected computers connecting from IP addresses in 20 countries, including IP addresses we traced to\r\nEritrean companies and government agencies.\r\nOur analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a\r\ncommercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an\r\nIsrael-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed\r\nto intelligence and law enforcement agencies.\r\nWe conducted Internet scanning to find other servers associated with PSS and found several servers\r\nthat appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have\r\ntracked Cyberbit employees as they carried infected laptops around the world, apparently providing\r\ndemonstrations of PSS to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s\r\nFinancial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017\r\nin Prague, and Milipol 2017 in Paris. 
Cyberbit also appears to have provided other demos of PSS in\r\nFrance, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.\r\n1. Executive Summary\r\nThis report describes a campaign of targeted malware attacks apparently carried out by Ethiopia from 2016 until\r\nthe present. In the attacks we document, targets receive via email a link to a malicious website impersonating an\r\nonline video portal. When a target clicks on the link, they are invited to download and install an Adobe Flash\r\nupdate (containing spyware) before viewing the video. In some cases, targets are instead prompted to install a\r\nfictitious app called “Adobe PdfWriter” in order to view a PDF file. Our analysis traces the spyware to a\r\nheretofore unobserved player in the commercial spyware space: Israel’s Cyberbit, a wholly-owned subsidiary of\r\nElbit Systems. The spyware appears to be a product called PC Surveillance System (PSS), recently renamed PC\r\n360.\r\nhttps://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/\r\nPage 1 of 33\n\nThe attacks we first identified were targeted at Oromo dissidents based outside of Ethiopia, including the Oromia\r\nMedia Network (OMN). Oromia is the largest regional ethnic state of Ethiopia by population and area, comprised\r\nmostly of the Oromo people.\r\nWe later discovered that the spyware’s command and control (C\u0026C) server has a public logfile that appears to\r\nshow both operator and victim activity, allowing us to gain insight into the identity of the operators and the\r\ntargets. 
Based on our analysis of the logfile, it appears that the spyware’s operators are inside Ethiopia, and that\r\nvictims also include various Eritrean companies and government agencies.\r\nWe scanned the Internet for similar C\u0026C servers and found what appear to be several servers used by Cyberbit.\r\nThe public logfiles on those servers seem to have tracked Cyberbit employees as they carried infected laptops\r\naround the world, apparently providing demonstrations of PSS to various potential clients. The logfiles appear to\r\nplace Cyberbit employees at IP addresses associated with the Royal Thai Army, Uzbekistan’s National Security\r\nService, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe\r\n2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos to clients we could\r\nnot identify in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria.\r\nThis report is the latest in a growing body of work that shows the wide abuse of nation-state spyware by\r\nauthoritarian leaders to covertly surveil and invisibly sabotage entities they deem political threats. After FinFisher,\r\nHacking Team, and NSO Group, Cyberbit is the fourth vendor of nation-state spyware whose tools we have seen\r\nabused, and the second based in Israel.  Cyberbit’s PSS is also not the first spyware that Ethiopia has abused\r\noutside of its borders: in 2015, we discovered that Ethiopia’s Information Network Security Agency (INSA) was\r\nusing Hacking Team’s RCS spyware to target US-based journalists at the Ethiopian Satellite Television Service\r\n(ESAT). Ethiopia has also previously targeted dissidents using FinFisher’s FinSpy spyware.\r\nCitizen Lab has published a companion post outlining some of the legal and regulatory issues raised by this\r\ninvestigation. 
We also sent letters to Cyberbit and Adobe concerning the misuse of their respective products.\r\nCyberbit responded on December 5, 2017, stating in part: “we appreciate your concern and query and we are\r\naddressing it subject to the legal and contractual confidentiality obligations Cyberbit Solutions is bound\r\nby.” Adobe responded on December 6, 2017, stating in part: “we have taken steps to swiftly address this issue,\r\nincluding but not limited to contacting Cyberbit and other relevant service providers.”\r\n2. Background\r\n2.1. Oromo Protests and Diaspora Media Outlets\r\nLargely peaceful protests erupted in the Ethiopian state of Oromia in November 2015, in response to a\r\ngovernment decision to pursue a development project involving the razing of a forest and football field. Protesters\r\ncoalesced around opposition to a larger plan, the Addis Ababa Master Plan, which they feared would displace\r\nsome of the 2 million Oromo residents living around Addis Ababa. The government labeled the protesters\r\nterrorists and responded with lethal force and arbitrary arrests. Over the next year, security forces killed over 1000\r\npeople, many of them from Oromia, during anti-government protests. This culminated in a state of emergency that\r\nwas called in October 2016 that lasted over 10 months.\r\nOromia Media Network (OMN) is a US-based media channel that describes itself as an “independent, nonpartisan\r\nand nonprofit news enterprise whose mission is to produce original and citizen-driven reporting on Oromia, the\r\nlargest and most populous state in Ethiopia.”  OMN broadcasts via satellite, and also has an Internet and social\r\nmedia presence. 
According to Human Rights Watch, OMN “played a key role in disseminating information\r\nthroughout Oromia during the protests.” The government has “reportedly jammed OMN 15 times since it began\r\noperations in 2014” and arrested individuals for providing information to OMN or displaying the channel in their\r\nbusinesses.\r\n2.2. Cyberbit and PSS\r\nCyberbit is an Israel-based cyber security company and a wholly-owned subsidiary of Israeli defense and\r\nhomeland security manufacturer and contractor Elbit Systems. Cyberbit was established in 2015 in order to\r\n“consolidate Elbit Systems’ activities relating to the Cyber Intelligence and Cyber Security markets.” Cyberbit\r\nmerged with the NICE Cyber and Intelligence Division in 2015 after Elbit acquired that entity for approximately\r\n$158 million, with Cyberbit reportedly taking on the division’s employees. Elbit had previously acquired C4\r\nSecurity in June 2011 for $10.9 million; C4 described itself as “specializ[ing] in information warfare, SCADA and\r\nmilitary C\u0026C systems security.” According to one employee’s LinkedIn page, C4 also developed a product called\r\n“PSS Surveillance System,” billed as a “solution[] for intelligence and law enforcement agencies.” Cyberbit\r\nmarketing materials1 refer to what appears to be the same system: “CYBERBIT PC Surveillance System (PSS).”\r\nPSS is also referenced on Elbit’s website as a solution “for collection from personal computers.” Elbit\r\nreportedly will be reorganizing Cyberbit, effective as of 2018, to separate its defense and commercial businesses,\r\nwith Cyberbit continuing to operate the “C4i division and commercial cyber business.” Elbit’s major subsidiaries\r\nare located in Israel and the United States, and Elbit is listed on the NASDAQ and the Tel Aviv Stock Exchange.\r\nCyberbit is the second Israel-based nation-state spyware vendor we have identified and analyzed, the other being\r\nNSO Group. 
The two companies operate in the same market and have even been connected with the same clients.\r\nIn an extradition request for former Panamanian President Martinelli, Panama alleged that Martinelli had directed\r\nthe purchase of two spyware products: PSS and NSO Group’s Pegasus. Additionally, a leaked Hacking Team\r\nemail about NSO claims that: “NSO only has mobile agents … Apparently the pc part is handled by another\r\ncompany, PSS.”\r\nCyberbit describes PSS as “a comprehensive solution for monitoring and extracting information from remote\r\nPCs.” As is standard in the marketing materials for spyware companies, Cyberbit represents that their design\r\n“eliminat[es] the possibility that the operation will be traced back to the origin.”\r\nCyberbit says that PSS “helps LEAs and intelligence organizations to reduce crime, prevent terrorism and\r\nmaintain public safety by gaining access, monitoring, extracting and analyzing information from remote PCs.”\r\n Information that PSS can monitor and extract includes “VoIP calls, files, emails, audio recordings, keylogs and\r\nvirtually any information available on the target device.”\r\n3. Targeting of Jawar Mohammed\r\nJawar Mohammed is the Executive Director of the Oromia Media Network (OMN). He is also a prolific activist,\r\nwith more than 1.2 million followers on Facebook. October 2, 2016 was the annual Irreecha cultural festival, the\r\nmost important Oromo cultural festival. Millions of people each year gather at the festival site in Bishoftu, near\r\nAddis Ababa. 
In 2016, “scores of people” died at the festival “following a stampede triggered by security forces’\r\nuse of teargas and discharge of firearms in response to an increasingly restive crowd.” Jawar was active at the time\r\non social media in stoking the passions of Oromo on the ground, circulating both verified and unverified\r\ninformation. On October 4, 2016, while in Minneapolis, USA, Jawar received the email in Figure 5.  He\r\nforwarded the email to Citizen Lab for analysis.\r\nFrom: sbo radio \u003csbo.radio88[@]gmail.com\u003e\r\nDate: Tue, 4 Oct 2016 16:50:13 +0300\r\nSubject: Fw: Confidential video made public\r\nWhat do you think of this video ? In case you don’t have the right\r\nversion of adobe flash and can’t watch the video, you can get the latest version of Adobe flash from Here\r\nhttp://getadobeplayer[.]com/flashplayer/download/index7371.html.\r\n———- Forwarded message ———-\r\nFrom: sbo radio \u003csbo.radio88[@]gmail.com\u003e\r\nDate: Tue, Oct 10, 2014 at 4:23 PM\r\nSubject: Video hints Eritrea and Ethiopia war is highly likely to continue\r\nDear Excellencies,\r\nVideo : Eritrea and\r\nEthiopia war likely to continue\r\nhttp://www.eastafro[.]net/eritrea-ethiopia-border-clash-video.html\r\nregards,\r\nSbo Radio\r\nMit freundlichen Grüßen [With kind regards]\r\nFigure 5\r\nAn email sent to Jawar on October 4, 2016. The sender most likely crafted the email to make it appear that this\r\nwas a forwarded message.\r\nThe site eastafro[.]net appears to impersonate the (legitimate) Eritrean video website eastafro.com. When a target\r\nclicks on an operator-generated link to eastafro[.]net, JavaScript on the site checks to see whether the target is\r\nusing Windows and whether their Adobe Flash Player is up to date. If the script detects a Windows user with an\r\nout-of-date Flash Player, it displays a message asking the user to update their Flash Player. 
If clicked, or after 15\r\nseconds, the user is redirected to a page on getadobeplayer[.]com, which offers the user a real Flash Player\r\nupdate bundled with spyware.\r\nIf the user downloads and installs the malicious Flash update, their computer is infected. It is clear that this is a\r\ntargeted attack: if a user simply types in eastafro[.]net into their browser’s address bar, they are redirected to the\r\nlegitimate site, eastafro.com. If a user does the same with getadobeplayer[.]com, they are served a “403\r\nForbidden” message. Both sites have robots.txt files instructing search engines not to crawl them. Access to the\r\nspyware is granted only if the user clicks on a link sent by the operator.\r\nIn all, Jawar received eleven emails between 5/30/2016 and 10/13/2016, and one more than a year later on\r\n11/22/2017. Each email contained links to what were purportedly videos on eastafro[.]net, or Adobe Flash Player\r\nupdates on getadobeplayer[.]com. The 11/22/2017 email contained a link to eastafro[.]net that asked the target to\r\ninstall “Adobe’s PdfWriter,” a fictitious product. The download contained the same spyware as the malicious\r\nAdobe Flash Player updates, but was packaged with CutePDF Writer, “a proprietary Portable Document Format\r\nconverter and editor for Microsoft Windows developed by Acro Software,” with no connection to Adobe.\r\nIn many cases, the operators appear to have registered their own accounts to send the infection attempts. However,\r\nthe email address sbo.radio88[@]gmail.com used by operators to target Jawar is associated with the radio station\r\nof the Oromo Liberation Front (OLF). 
The account may have been compromised.\r\nDate Subject Sender\r\n5/30/2016 Ethiopia Struggling with inside Challenges! eliassamare[@]gmail.com\r\n6/15/2016 Tsorona Conflict Video! eliassamare[@]gmail.com\r\n6/29/2016 UN Report and Diaspora Reaction! eliassamare[@]gmail.com\r\n8/4/2016 Ethiopia and Current Options! eliassamare[@]gmail.com\r\n8/15/2016 Fwd: Triggering Ethiopia Protests! eliassamare[@]gmail.com\r\n9/5/2016 Saudi-Iran and the Red Sea! eliassamare[@]gmail.com\r\n9/6/2016 Congrats – የኢሳት ፍሬዎች wadewadejoe[@]gmail.com\r\n9/22/2016 Is Funding Ethiopia the Right time Now? eliassamare[@]gmail.com\r\n10/4/2016 Fw: Confidential video made public sbo.radio88[@]gmail.com\r\n10/10/2016 Egypt-Ethiopia new tension! awetnaeyu[@]gmail.com\r\n10/13/2016 Confidential Videos made public wadewadejoe[@]gmail.com\r\n11/22/2017 Gov official interrogated following leakage of national security meeting minutes lekanuguse2014[@]gmail.com\r\nTable 1\r\nMalicious emails received by Jawar.\r\nThe Ethiopian Government charged Jawar with terrorism in February 2017 under the criminal code; Jawar and\r\nOMN denied all charges.\r\n4. Investigation to Find Additional Targets\r\nWe set out to find additional targets. We conducted targeting testing of members of the Oromo community using\r\nHimaya, our email scanning tool, to determine whether they had received any similar malicious messages. We also\r\nfound a public logfile on the spyware’s C\u0026C server (Section 5.2); the logfile listed IP addresses of infected\r\ndevices and we were able to identify additional victims based on their IP.\r\n4.1. Other Targets\r\nEtana Habte is a PhD candidate and senior teaching fellow at SOAS, University of London. 
He is a frequent\r\ncommentator on Ethiopian issues and appears regularly on OMN.\r\nDate Subject Sender\r\n12/9/2016 Let’s stop EU \u0026 the World Bank from funding $500 m to Ethiopia shigut.gelleta[@]gmail.com\r\n1/11/2017 Fwd: MONOSANTO (A multinational company)’s plan on Oromia networkoromostudies2015[@]gmail.com\r\nTable 2\r\nMalicious emails received by Etana.\r\nThe address shigut.gelleta[@]gmail.com appears to be an account created by attackers designed to impersonate\r\nShigut Geleta, a member of the OLF.\r\nDr. Henok Gabisa is a visiting academic fellow who teaches at Washington and Lee University School of Law and\r\nis the founder of the Association of Oromo Public Defenders (Public Interest Lawyers Association) in Oromia.\r\nDate Subject Sender\r\n3/6/2017 Why did MONOSANTO target the Oromiya region? networkoromostudies2015[@]gmail.com\r\n3/13/2017 Democracy in Ethiopia: Can it be saved? networkoromostudies2015[@]gmail.com\r\nTable 3\r\nMalicious emails received by Henok.\r\nBill Marczak is a researcher at Citizen Lab and an author of this report. Marczak was targeted after he asked\r\nanother target to forward an email sent by operators. At the time, the target’s email account was compromised (the\r\ntarget had been previously infected with this spyware).  On March 29, 2017, while in San Francisco, USA,\r\nMarczak received a message entitled “Martin Plaut and Ethiopia’s politics of famine,” from\r\nnetworkoromostudies2015[@]gmail.com. The email contained a link to eastafro[.]net.\r\nOther Targets: Several malicious emails we found were sent to multiple recipients, according to their headers.\r\n We found 39 additional email addresses of targets using this method; at least 12 addresses appear to be linked to\r\ntargets active on Oromo issues, or working for Oromo groups.\r\n4.2. 
Logfile Analysis\r\nPeculiarly, we found a public logfile on the spyware’s C\u0026C server; the logfile recorded activity that allowed us to\r\ngeolocate (or in some cases, identify) victims. We analyzed more than a year of logs showing victim (and\r\noperator) activity. Each logfile entry contains a unique identifier (a GUID) associated with the infection, a value\r\nindicating whether the entry records victim or operator activity, the IP address that the infected device (or\r\noperator) connected to the C\u0026C server from, and finally a timestamp showing when the communication took\r\nplace (for more details on the logfile, see Section 5.2). The format of the logfile allowed us to track infections as\r\nthey moved between different IP addresses, such as when an infected target carried their laptop between home and\r\nwork, or while traveling.\r\nDuring more than a year of monitoring the server’s logfiles, we observed 67 different GUIDs.  All infections were\r\noperated by the same operator, who only ever used one IP address, which belongs to a satellite connection (except\r\nfor a three hour period on a single day when the operator’s activity “failed over” to two other IP addresses, one\r\naddress in Ethiopia and one VPN, perhaps due to transient satellite connection failure). We identified 11 of the 67\r\nGUIDs as likely resulting from testing by the operator, or execution by researchers, based on their apparent short\r\nduration. Further, we noted that some GUIDs likely referenced the same infected device, as they represented\r\nconsecutive, non-overlapping infections whose IP addresses corresponded with the same Internet Service Provider\r\n(ISP). This was the case for two GUIDs in the UK, two in South Sudan, and 12 in Uganda.\r\nWe arrived at 43 GUIDs that we believe represent distinct infected devices. We then sought to geolocate each\r\ninfection to a country. 
We first ran the MaxMind GeoLite 2 Country database on each IP and associated a set of\r\ncountries with each infection. For each infection that had only one country associated with it, we examined a\r\nsmall number of IP addresses from the infection, to see whether those IPs looked like they were actually in that\r\ncountry, or whether geolocation may have been incorrect due to the IP being associated with a VPN or satellite\r\nconnection.\r\nFor infections that MaxMind associated with multiple countries, we determined the dominant country, based on\r\nthe country with the largest number of logfile entries for that infection. For the dominant country, we checked a\r\nsmall number of IP addresses to make sure the geolocation was correct. For the other countries, we checked each\r\nIP in an attempt to eliminate incorrect geolocation. We noted four infections that predominantly connected from\r\nsatellite connections, which MaxMind geolocated to UK or UAE; we changed the geolocation of these devices to\r\nEritrea, as the infections either “failed over” to IPs registered to EriTel, or shared the same satellite IP address as\r\nother infections that “failed over” to EriTel IPs.\r\nCountry # Infected Devices\r\nEritrea 7\r\nCanada 6\r\nGermany 6\r\nAustralia 4\r\nUSA 4\r\nSouth Africa 2\r\nTable 4\r\nNumber of infections we geolocated to each country, for countries where we geolocated more than\r\none infection.\r\nOther countries in which we saw only a single infected device were: Belgium, Egypt, Ethiopia, UK, India, Italy,\r\nJapan, Kenya, Norway, Qatar, Rwanda, South Sudan, Uganda, and Yemen.\r\nAfter we eliminated VPN IPs, and geolocated the four infections that predominantly connected from satellite\r\nconnections, we found that 40 of 43 infections only ever communicated from a single country. 
The remaining\r\nthree devices appear to have travelled between several countries. The three infections that traveled internationally\r\nare as follows:\r\nA device that twice travelled from Eritrea (via Germany) to the United Nations in Geneva.  We geolocated\r\nthis device to Eritrea.\r\nA device that predominantly connected from the University of Tsukuba in Japan that travelled to Eritrea.\r\nWe geolocated this device to Japan.\r\nA device that predominantly connected from York University in Canada that travelled to Eritrea. We\r\ngeolocated this device to Canada.\r\nWe were able to trace six of the infections (five in Eritrea, one abroad) to Eritrean government agencies or\r\ncompanies, suggesting that operators are likely targeting members of the Eritrean government in addition to\r\nEthiopian dissidents.\r\n4.3. Other Attacker Sites\r\nDuring our analysis, we identified two other websites sharing the same IP address as getadobeplayer[.]com, which\r\nalso appear to have been used by the same attackers to target victims with the same spyware: diretube.co[.]uk\r\n(impersonating diretube[.]com, an Ethiopian video site), and meskereme[.]net (impersonating meskerem[.]net,\r\nan Eritrean opposition website).\r\nThe diretube.co[.]uk site used the same Adobe Flash update ploy to direct users to malware on\r\ngetadobeplayer[.]com, whereas the meskereme[.]net site displays a message saying “Problem reading Tigrinya?\r\nInstall these fonts,” with links to the fonts bundled with spyware.  The legitimate website, meskerem[.]net\r\ndisplays the same message, but links to fonts without the spyware.\r\n5. Attribution to Cyberbit and Ethiopia\r\nThis section describes how we attributed the spyware to Cyberbit and Ethiopia.\r\n5.1. 
Digital Signature Points to Cyberbit\r\nBy monitoring getadobeplayer[.]com, we found and analyzed five samples of the spyware as it was updated over\r\ntime.\r\nMD5 Name\r\n568d8c43815fa9608974071c49d68232 flashplayer20_a_install.exe\r\n80b7121c4ecac1c321ca2e3f507104c2 flashplayer21_xa_install.exe\r\n8d6ce1a256acf608d82db6539bf73ae7 flashplayer22_xa_install.exe\r\n840c4299f9cd5d4df46ee708c2c8247c flashplayer23_xa_install.exe\r\n961730964fd76c93603fb8f0d445c6f2 flashplayer24_xa_install.exe\r\nTable 5\r\nThe samples from getadobeplayer[.]com that we analyzed.\r\nEach sample communicates with two command and control (C\u0026C) servers: time-local[.]com and time-local[.]net.\r\nWe found a structurally similar sample (see Section 7 for details on structural similarities) in VirusTotal:\r\nMD5: 376f28fb0aa650d6220a9d722cdb108d\r\nSHA1: c7b4b97369a2ca77e916d5175d162dc2b823763b\r\nSHA256: c76d2a8c1c8865b1aa6512e13b77cbc7446022b7be3378f7233c5ca4a5e58116\r\nThat sample communicated with a C\u0026C server at the following URL: pssts1.nozonenet[.]com/ts8/ts8.php (note\r\nthe use of “PSS” in the URL). The sample also drops an EXE file containing a digital signature (valid as of the\r\ndate submitted to VirusTotal) produced by a certificate with the following details:\r\nCN = C4 Security\r\nO = C4 Security\r\nSTREET = 13 Noach Mozes St\r\nL = Tel aviv\r\nS = Gush Dan\r\nPostalCode = 67442\r\nC = IL\r\nRFC822 Name=tal.barash@c4-security.com\r\nNote that c4-security.com was the official website of C4 security, according to a brochure posted on the website\r\nof the Israeli Export Institute.\r\n5.2. 
Public Logfile Analysis Points to Ethiopia and Cyberbit\r\nWhile monitoring additional PSS C\u0026C servers that we discovered during scanning (Section 6.1), we found that\r\none of these servers temporarily exposed a directory listing in response to a normal GET / HTTP/1.1 request\r\n(Figure 9). The directory listing contained the text: “Apache/2.4.7 (Ubuntu) Server at cyberbitc[.]com Port 80,”\r\nindicating that the server was associated with Cyberbit. The website cyberbitc[.]com is owned by Cyberbit and\r\nwas used by Cyberbit before they acquired cyberbit[.]com in March 2017.2\r\nThis directory listing also revealed the existence of several files, including a file called rec.dat, which at first\r\nglance we noticed was encoded in binary format. We suspected that rec.dat might be a logfile, as it appeared to be\r\nconstantly updated on the C\u0026C servers. We noticed that rec.dat existed on all of the C\u0026C servers we detected in\r\nour scanning and were able to test (Section 6.1), including on time-local[.]com and time-local[.]net, the C\u0026C\r\nservers associated with the spyware samples sent to Oromo targets.\r\n5.2.1. Logfile Analysis Shows Ethiopian Operator\r\nTo verify our logfile hypothesis, we performed a test infection of a virtual machine using one of the samples sent\r\nto Oromo targets and we allowed the virtual machine to communicate with the C\u0026C server. The traffic comprised\r\nHTTP POST requests (Section 7.7), each of which contained an agentid, a GUID initially {00000000-0000-0000-\r\n0000-000000000000} and later nonzero.\r\nAfter the infection, we downloaded rec.dat and found that it contained a series of records, several with our IP\r\naddress, and our agentid GUID, in binary form. 
Each record of the logfile is delimited by the string \\x41\\x41\\x41\r\n(‘AAA’) and can be parsed with the following regular expression:\r\n'(.{4})\\x00\\x00(.)(.{4})(.{16})AAA'\r\nThe first group of four bytes is a UNIX timestamp, the second group of 1 byte is a type value (which, in our\r\ntesting was always 2, 17, 21, 33, or 37), the third group of 4 bytes is an IP address, and the fourth group of 16\r\nbytes is a GUID. The file appears to be a circular (i.e., size-capped) logfile stored in binary format whose\r\nmaximum size is defined in config.ini to be 10MB. Old entries are removed from the front of the file as new\r\nentries are written to the end.\r\nPeculiarly, we noticed additional entries in rec.dat with our GUID but with a different IP address, 207.226.46.xxx.\r\nWe noticed that 207.226.46.xxx was also associated with every other GUID in rec.dat. We determined that this IP\r\naddress is associated with a satellite connection.\r\nOver a period of more than a year, we downloaded and analyzed this file at regular intervals, obtaining a total of\r\n388 rec.dat samples from each of time-local[.]com and time-local[.]net (we also began pulling samples of rec.dat\r\nfrom new servers we detected in scanning). Our rec.dat files from time-local[.]com contain more than 32 million\r\nentries (more than 28 million entries are operator interactions and approximately 4 million are victim interactions).\r\nIn all of our rec.dat samples from time-local[.]com and time-local[.]net, we noted that entries in the logfile for all\r\nGUIDs with types 2, 21, and 33 only ever involved the IP address 207.226.46.xxx (except for a brief period of\r\nthree hours on a single day, where we saw the activity “fail over” between 207.226.46.xxx and two other IP\r\naddresses, one VPN address, and one address in Ethiopia). Thus, we suspect that types 2, 21, and 33 represent\r\ninteraction by the operator. 
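As an added example (not code from the Citizen Lab report or from Cyberbit), the following Python parses rec.dat records with the layout just described, separates the entry types the report attributes to the operator (2, 21, 33) from the remaining observed types (17, 37), and applies the per-GUID dominant-country method of Section 4.2 against a lookup table that stands in for MaxMind GeoLite2. The report does not state the byte order of the timestamp, IP or GUID fields; this code assumes a little-endian timestamp, an IP in network byte order and a Windows-style GUID (bytes_le). The sample bytes, GUIDs, IP addresses (documentation ranges) and country table are constructed here and are not data from a real logfile.

```python
import re
import socket
import struct
import uuid
from collections import Counter, defaultdict

# rec.dat record layout from Section 5.2.1 (assumed widths 4+2+1+4+16 bytes, then 'AAA'):
#   timestamp (4 bytes, assumed little-endian UNIX time), two 0x00 bytes, type (1 byte),
#   IPv4 address (4 bytes, assumed network order), GUID (16 bytes, assumed Windows bytes_le)
OPERATOR_TYPES = {2, 21, 33}   # only ever seen from the operator's satellite IP
VICTIM_TYPES = {17, 37}        # check-ins from infected devices
# Same pattern as the report's regex. re.DOTALL is required so '.' also matches 0x0A bytes,
# which occur inside timestamps and IP addresses; without it such records are silently skipped.
RECORD_RE = re.compile(rb'(.{4})' + bytes(2) + rb'(.)(.{4})(.{16})AAA', re.DOTALL)


def parse_rec_dat(blob):
    '''Return a list of (unix_ts, type, ip, guid) tuples from raw rec.dat bytes.'''
    records = []
    for m in RECORD_RE.finditer(blob):
        ts = struct.unpack('<I', m.group(1))[0]
        typ = m.group(2)[0]
        ip = socket.inet_ntoa(m.group(3))
        guid = str(uuid.UUID(bytes_le=m.group(4)))
        records.append((ts, typ, ip, guid))
    return records


def build_record(ts, typ, ip, guid):
    '''Inverse of parse_rec_dat; used here only to construct sample data.'''
    return (struct.pack('<I', ts) + bytes(2) + bytes([typ])
            + socket.inet_aton(ip) + uuid.UUID(guid).bytes_le + b'AAA')


def operator_ips(records):
    '''IPs seen on operator-type entries. In the report this was a single satellite IP,
    with a brief failover to an Ethio Telecom address and a VPN address (Table 6).'''
    return Counter(ip for _, typ, ip, _ in records if typ in OPERATOR_TYPES)


def dominant_country(records, geo):
    '''Per victim GUID: (country with the most entries, sorted list of all countries seen),
    the Section 4.2 method. geo maps IP -> country and stands in for GeoLite2 here.'''
    per_guid = defaultdict(Counter)
    for _, typ, ip, guid in records:
        if typ in VICTIM_TYPES:
            per_guid[guid][geo.get(ip, 'unknown')] += 1
    return {g: (c.most_common(1)[0][0], sorted(c)) for g, c in per_guid.items()}


# Constructed sample data (documentation-range IPs, invented GUIDs), not a real logfile.
GUID_A = '11111111-2222-3333-4444-555555555555'
GUID_B = '66666666-7777-8888-9999-aaaaaaaaaaaa'
SAMPLE_GEO = {'203.0.113.5': 'Canada', '203.0.113.9': 'Canada', '198.51.100.7': 'Eritrea'}
SAMPLE_REC_DAT = b''.join([
    build_record(1500000000, 17, '203.0.113.5', GUID_A),
    build_record(1500000010, 2, '192.0.2.1', GUID_A),     # operator acting on A; this ts contains 0x0A
    build_record(1500000020, 37, '203.0.113.9', GUID_A),
    build_record(1500000030, 17, '198.51.100.7', GUID_B),
    build_record(1500000040, 21, '192.0.2.1', GUID_B),
    build_record(1500000050, 17, '203.0.113.5', GUID_B),  # B checks in from another country
    build_record(1500000060, 17, '198.51.100.7', GUID_B),
])

if __name__ == '__main__':
    recs = parse_rec_dat(SAMPLE_REC_DAT)
    print(f'{len(recs)} records; operator IPs: {dict(operator_ips(recs))}')
    for g, (dom, seen) in dominant_country(recs, SAMPLE_GEO).items():
        print(f'{g}: dominant {dom}, seen {seen}')
```

Because the file is size-capped and trimmed from the front, a download can begin mid-record; finditer simply resynchronises at the next position where the pattern holds, which is the same behaviour the report's regex gives. On a real pull, replace SAMPLE_GEO with a GeoLite2 lookup and keep the manual VPN and satellite checks the report describes, since the dominant-country count alone mislabels satellite users.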
We suspect that types 17 and 37 correspond to interactions by infected devices.\r\nIP Provider\r\n207.226.46.xxx Satellite Connection\r\n197.156.86.xxx Ethio Telecom\r\n192.186.133.xxx CyberGhost VPN\r\nTable 6\r\nIP addresses that the Ethiopian operator connected from.\r\nThat the attacker’s activity “failed over” between their satellite IP and an Ethio Telecom address suggests that the\r\noperator is inside Ethiopia.\r\n5.2.2. Thirteen Servers Show a Cyberbit Nexus\r\nOur scanning found 15 PSS C\u0026C servers in all. Of those, two were the Ethiopia servers. Of the remaining 13 we\r\nfound, we suspect all are operated by Cyberbit, perhaps as demonstration or development servers. Ten of the\r\nservers’ logfiles included the IP address 37.142.120.xxx, which is pointed to by a subdomain of cyberbit[.]net.\r\nTwo other servers’ logfiles included the IP address 64.251.13.xxx, which also appeared in the logfile of one of the\r\nseven servers, as an operator of infections connecting back from 37.142.13.xxx, an IP address pointed to by a\r\nsubdomain of cyberbit[.]net.\r\nOne of the servers, pupki[.]co, was unavailable when we tried to fetch rec.dat. The domain name was registered to\r\na “Yevgeniy Gavrikov”. An individual by this name currently works as an “integration specialist” for Cyberbit,\r\naccording to LinkedIn.\r\n6. Other PSS Activity\r\n6.1. Scanning for More C\u0026C Servers\r\nWe fingerprinted the command and control (C\u0026C) servers used by the spyware, time-local[.]com and time-local[.]net, based on the fact that they typically returned the following distinctive message upon a normal GET /\r\nHTTP/1.1 request:\r\nPHP Configuration Error. 
    Can not fetch xml request string

Over the course of our scanning, we found a total of 15 IP addresses matching this same fingerprint.

C&C IP Address   Domain Name [3]
51.15.48.xxx
80.82.64.32      time-local[.]com
80.82.67.xxx
80.82.79.44      time-local[.]net
89.248.170.xxx
93.174.89.xxx
93.174.91.xxx
93.174.91.xxx
94.102.53.xxx
94.102.60.xxx
94.102.63.xxx
104.236.23.3     pupki[.]co
111.90.147.xxx
185.125.230.xxx
185.125.230.xxx
Table 7: PSS C&C servers we found in IPv4 scanning.

6.2. Demonstration Websites

By examining sites on the same IP address as eastafro[.]net, we found two additional sites: one site impersonating Download.com and one website impersonating the homepage of Avira Antivirus. These sites contained versions of several apps bundled with PSS, including Avira Antivirus, Ventrilo, Avast AntiVirus, and CCleaner. The versions of PSS we found talked to C&C servers in the list above that we identified as Cyberbit-run servers.

6.3. Public Logfile Analysis of Other Servers

In addition to the Ethiopia servers (Section 5.2), we analyzed the logfiles of 12 of the 13 other servers. We were able to identify what we believe are several product demonstrations to various clients around the world. Most of the demonstrations show similar patterns: activity during business hours from IP addresses that appear to belong to potential clients and activity off-hours at IP addresses that appear to belong to hotels. In a few cases, the activity is preceded or followed by activity from what appears to be airport Wi-Fi access points.

In our analysis here, we introduce a notion of a period of activity to try and abstract away gaps between logfile entries that may be uninteresting.
We say that a spyware infection is active between two logfile entries (we only include activity from the infected device here, i.e., types 17 and 37) if there is no more than an hour in between the entries. We omit periods of activity that are less than one minute from our consideration (except if they provide evidence that the infected device has moved). In each country case we present here, we are listing all the activity we found across the nine Cyberbit-operated C&C servers (perhaps excluding periods of activity less than a minute).

6.3.1. Timeline of Suspected Demonstrations

3/2016: Thailand (2 days). We found infections in Thailand from the IP 202.29.97.X, in AS4621, which appears to be an ASN used by various Thai universities. Tracerouting to 202.29.97.X yields the hop (royal-thai-army-to-902-1-5-gi-09-cr-pyt.uni.net.th). The IPs 202.29.97.(X-3) and 202.29.97.(X-1) return a TLS certificate whose CN is a subdomain of signalschool[.]net, which is registered to the Royal Thai Army’s Signal School. We did note that 202.29.97.X also appears to be a VPN. Nevertheless, it seems that the IP is under the control of the Royal Thai Army.
We also observed each infection changing between several IPs that appear to belong to various mobile data providers.

The table below lists periods of activity for each infection; the first column (#) indicates the number of the infection; the second and third columns provide the minimum and maximum date and time of the period of activity (in the country’s local time, accounting for DST); the fourth column provides the duration of the period of activity (H:MM:SS); and the fifth column lists the location where the activity took place (or the likely identity of the agency receiving the demonstration).

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 09:22:17          Day 1 10:07:05        0:44:48   Royal Thai Army
2  Day 1 14:52:10          Day 1 15:38:13        0:46:03   Royal Thai Army
3  Day 2 14:45:51          Day 2 17:01:11        2:15:20   Royal Thai Army
Table 8: March 2016 suspected demo to Royal Thai Army.

3/2016: Uzbekistan (3 days). We found four infections in Uzbekistan. The first two were from an IP address pointed to by a subdomain of rdhotel[.]uz, which is registered by an individual who is listed on LinkedIn as the manager of the Radisson Blu in Tashkent.
The latter two were from an IP address linked to Uzbekistan’s National Security Service by the leaked Hacking Team emails.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 23:26:52          Day 2 00:10:00        0:43:08   Radisson Blu Tashkent
2  Day 2 08:46:20          Day 2 09:06:36        0:20:16   Radisson Blu Tashkent
3  Day 2 15:40:02          Day 2 15:45:52        0:05:50   National Security Service
3  Day 2 17:16:32          Day 2 18:24:42        1:08:10   National Security Service
4  Day 3 12:09:17          Day 3 12:41:35        0:32:18   National Security Service
4  Day 3 14:27:04          Day 3 14:53:39        0:26:35   National Security Service
Table 9: March 2016 suspected demo to Uzbekistan National Security Service.

10/2016: France (1 day). We found two infections in France on the same day in October 2016. The first appeared to be from an IP address associated with the airport Wi-Fi at Paris’s Charles De Gaulle (CDG) airport. The second was from what appeared to be a landline IP address in Paris, which we could not attribute.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 11:19:15          Day 1 11:24:04        0:04:49   CDG Airport Wi-Fi
2  Day 1 15:24:55          Day 1 16:08:03        0:43:08   86.245.198.xxx
Table 10: October 2016 suspected demo to unknown clients in France.

11/2016: Vietnam (2 days). We found three infections in Vietnam. One was linked to an IP address that is numerically adjacent to another IP address that returns a web interface for an “HP MSM760 Controller” that displays the following information:

[Screenshot of the HP MSM760 Controller web interface, not reproduced in this extraction]

We suspect that this activity is associated with the Hilton Garden Inn Hotel in Hanoi.
The other activity appears to be from mobile broadband IP addresses; the identity of the potential client is not indicated by the data.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 16:34:36          Day 1 18:52:09        2:17:33   Hilton Garden Inn Hanoi
1  Day 1 18:52:48          Day 1 19:01:12        0:08:24   (Mobile Broadband)
1  Day 1 19:35:50          Day 1 19:41:14        0:05:24   Hilton Garden Inn Hanoi
2  Day 2 11:34:24          Day 2 12:12:26        0:38:02   (Mobile Broadband)
3  Day 2 15:32:15          Day 2 17:13:41        1:41:26   (Mobile Broadband)
Table 11: November 2016 suspected demo to unknown clients in Vietnam.

12/2016: Kazakhstan (1 day). We found an infection from an IP address registered (according to WHOIS information) to “Saad Hotel LLP” with an address matching the Marriott Hotel in Astana.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 14:20:07          Day 1 14:35:39        0:15:32   Marriott Hotel Astana
Table 12: December 2016 suspected demo to unknown clients in Kazakhstan.

12/2016: Zambia (2 days). Most of the activity was from mobile broadband IPs. However, the second infection was from an IP pointed to by a subdomain of fic.gov[.]zm, the website for Zambia’s Financial Intelligence Centre.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 21:23:21          Day 1 21:57:52        0:34:31   (Mobile Broadband)
1  Day 2 05:20:05          Day 2 05:43:38        0:23:33   (Mobile Broadband)
2  Day 2 11:00:52          Day 2 11:29:37        0:28:45   Financial Intelligence Centre
Table 13: December 2016 suspected demo to Zambia Financial Intelligence Centre.

1/2017: Rwanda (2 days).
We could not attribute any of the IPs in Rwanda.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 17:10:48          Day 1 18:28:47        1:17:59   (Unknown Loc 1)
1  Day 1 22:49:12          Day 1 23:27:30        0:38:18   (Unknown Loc 2)
2  Day 1 23:30:16          Day 2 04:18:06        4:47:50   (Unknown Loc 2)
3  Day 2 09:14:59          Day 2 09:27:34        0:12:35   (Unknown Loc 1)
4  Day 2 09:54:15          Day 2 10:51:47        0:57:32   (Unknown Loc 1)
5  Day 2 10:01:45          Day 2 12:54:13        2:52:28   (Unknown Loc 1)
Table 14: January 2017 suspected demo to unknown clients in Rwanda.

2/2017: Philippines (5 days). We found an infection in February 2017 at 116.50.244.15. The IPs 116.50.244.10, 116.50.244.7, and 116.50.244.8 are pointed to by manila.newworldhotels.com or subdomains thereof. 116.50.244.7 is a Cisco VPN login page, which lists the “Group” as “New_World_Makati.” We assume that the Manila New World Makati Hotel is also the owner of 116.50.244.15.

This was followed by an infection one day later at an IP address pointed to by a subdomain of malacanang.gov[.]ph, which is the website of Malacañang Palace. The palace is the primary residence and offices of the Philippine President (Rodrigo Duterte as of the date of the demo). The Malacañang Palace infection was followed by an infection from two other IP addresses in the Philippines.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 18:40:13          Day 1 18:55:01        0:14:48   New World Makati Hotel Manila
2  Day 2 12:01:08          Day 2 12:25:50        0:24:42   Malacañang Palace
3  Day 3 11:32:08          Day 3 11:53:13        0:21:05   112.198.102.xxx
3  Day 5 21:52:32          Day 5 22:28:55        0:36:23   202.57.61.xxx
Table 15: February 2017 suspected demo to Philippines Presidency.

3/2017: Kazakhstan (1 day). We found an infection from an IP address pointed to by kazimpex[.]kz.
According to an article on IntelligenceOnline, Kazimpex is said to be closely linked with the “National Security Committee of the Republic of Kazakhstan” (KNB), an intelligence agency in Kazakhstan.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 11:29:55          Day 1 12:03:32        0:33:37   Kazimpex
Table 16: March 2017 suspected demo to Kazimpex in Kazakhstan.

3/2017: Serbia (2 days). We found activity from Serbia on a single IP address registered to “NBGP Properties Doo,” which is the trading name of an apartment complex and business centre located adjacent to the Crowne Plaza in Belgrade. Both NBGP and the Crowne Plaza are owned by Delta Holding, a major Serbian company. It is possible that activity from the IP 79.101.39.101 includes activity from both NBGP and the Crowne Plaza.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 12:20:42          Day 1 12:55:11        0:34:29   Delta Holding Complex
1  Day 2 00:15:30          Day 2 00:33:06        0:17:36   Delta Holding Complex
2  Day 2 00:51:04          Day 2 01:15:15        0:24:11   Delta Holding Complex
2  Day 2 06:58:53          Day 2 07:41:58        0:43:05   Delta Holding Complex
Table 17: March 2017 suspected demo to unknown clients in Serbia.

3/2017: Nigeria (2 days). We found one infection in Nigeria from two IPs. We could not identify the IPs.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 16:38:52          Day 1 17:11:57        0:33:05   (Unknown Loc 1)
1  Day 1 18:21:41          Day 1 19:13:24        0:51:43   (Unknown Loc 1)
1  Day 2 10:26:20          Day 2 11:43:28        1:17:08   (Unknown Loc 2)
Table 18: March 2017 suspected demo to unknown clients in Nigeria.

4/2017: Kazakhstan (1 day).
We found an infection from the Marriott hotel in Astana, followed by an infection from an IP pointed to by a subdomain of mcmr[.]kz, the website of “Mobil Realty,” a commercial real estate management company.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 12:26:04          Day 1 12:37:55        0:11:51   Marriott Hotel Astana
2  Day 1 18:09:50          Day 1 18:21:54        0:12:04   Mobil Realty
Table 19: April 2017 suspected demo to unknown clients in Kazakhstan.

6/2017: ISS World Europe (2 days). We saw four infections between 6/14/2017 and 6/15/2017 from IP address 82.142.85.165 in the Czech Republic. ISS World Europe 2017 was held in Prague, Czech Republic from 6/13/2017 – 6/15/2017, and Cyberbit gave a presentation on 6/13/2017, according to the schedule. This same IP address appears in the headers of leaked Hacking Team emails sent by two employees on 6/3/2015 and 6/4/2015. These employees mentioned that they would be attending ISS World Europe on 6/3/2015, held at the same venue as the 2017 ISS World Europe. The IP address 82.142.85.165 may be associated with the Clarion Congress Hotel in Prague (the ISS World Europe venue).

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  2017-06-14 13:17:46     2017-06-14 13:52:04   0:34:18   ISS World Europe
3  2017-06-14 16:45:04     2017-06-14 17:27:33   0:42:29   ISS World Europe
3  2017-06-15 07:18:23     2017-06-15 07:19:38   0:01:15   ISS World Europe
4  2017-06-15 08:17:18     2017-06-15 09:36:03   1:18:45   ISS World Europe
Table 20: June 2017 suspected demo at ISS World Europe in Prague.

6/2017: Zambia (2 days).
Most of the activity was from mobile broadband IPs.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 19:00:54          Day 1 19:38:34        0:37:40   (Mobile Broadband)
2  Day 2 09:44:48          Day 2 10:22:28        0:37:40   (Mobile Broadband)
3  Day 2 14:36:18          Day 2 15:00:00        0:23:42   (Mobile Broadband)
3  Day 2 21:59:59          Day 2 22:19:09        0:19:10   (Mobile Broadband)
Table 21: June 2017 suspected demo to unknown clients in Zambia.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
2  Day 1 15:00:24          Day -1 17:32:38       2:32:14   (DSL IP in Israel)
2  Day 1 22:41:32          Day 2 00:00:08        1:18:36   New World Makati Hotel Manila
2  Day 3 20:49:07          Day 3 21:07:51        0:18:44   New World Makati Hotel Manila
2  Day 4 10:30:03          Day 4 18:24:22        7:54:19   (Mobile Broadband)
2  Day 5 10:32:42          Day 5 10:56:48        0:24:06   (Mobile Broadband)
2  Day 5 13:04:42          Day 5 15:43:05        2:38:23   (Mobile Broadband)
2  Day 6 15:56:27          Day 6 17:47:18        1:50:51   New World Makati Hotel Manila
2  Day 9 09:13:20          Day 9 18:56:35        9:43:15   Cyberbit
Table 22: Employee #1 traveling from Israel to Manila; suspected demo to unknown clients.

11/2017: Philippines (6 days). In November 2017, we observed what appeared to be two different Cyberbit employees travelling together from Israel to the New World Makati Hotel in Manila.

The infections started out in Israel, one on 10/15/2017 and one on 11/2/2017. While in Israel, and during the workweek (Sunday to Thursday), both infections connected from what appears to be Cyberbit’s office (37.142.13.xxx, pointed to by two subdomains of cyberbit[.]net) during business hours (roughly 09:00 – 18:00 local time). After hours, the infections connected back from what we believe are home IP addresses of the employees.
Each infection connected back from different home IPs during overlapping periods, which leads us to believe that the two infections represent different Cyberbit employees. It appears that each employee was carrying an infected laptop between home and the office each day (perhaps for spyware development and testing purposes).

After they last connected from Israel, one infection connected 15 hours later from Hong Kong for six minutes, between 14:52 and 14:58 local time. The infections then connected from the Philippines (116.50.244.xxx) as early as 22:41 local time, suggesting a flight itinerary from Tel Aviv to Manila, by way of Hong Kong.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
1  Day 1 15:46:24          Day -1 15:46:24       0:00:00   (DSL IP in Israel)
1  Day 1 14:52:15          Day 1 14:58:04        0:05:49   (Hong Kong)
1  Day 1 23:00:03          Day 1 23:56:11        0:56:08   New World Makati Hotel Manila
1  Day 3 20:19:20          Day 3 21:01:09        0:41:49   New World Makati Hotel Manila
1  Day 4 14:42:43          Day 4 14:44:39        0:01:56   (Mobile Broadband)
1  Day 4 16:14:21          Day 4 18:31:40        2:17:19   (Mobile Broadband)
1  Day 4 20:54:47          Day 5 08:00:09        11:05:22  New World Makati Hotel Manila
1  Day 9 09:05:14          Day 9 12:59:54        3:54:40   Cyberbit
Table 23: Employee #2 traveling from Israel to Manila; suspected demo to unknown clients.

11/2017: Milipol Paris (4 days): From 11/21/2017 – 11/24/2017, we found an infection active from an IP address 185.113.160.20, which appears to be associated with the Paris Nord Villepinte exhibition center. The IP is pointed to by several subdomains of villepinte2017.dynu[.]net and also by pnv.vipnetwork[.]fr.
The Milipol Paris 2017 exhibition was held between 11/21 and 11/24 at the Paris Nord Villepinte exhibition center. Thus, it appears that Cyberbit employees were performing demos there.

#  Activity Start (Local)  Activity End (Local)  Duration  Location
3  Day 1 08:15:24          Day 1 09:18:21        1:02:57   Milipol Paris
3  Day 1 10:44:02          Day 1 13:21:09        2:37:07   Milipol Paris
3  Day 1 14:50:25          Day 1 15:32:46        0:42:21   Milipol Paris
3  Day 2 08:29:27          Day 2 17:01:11        8:31:44   Milipol Paris
3  Day 3 08:10:28          Day 3 09:34:09        1:23:41   Milipol Paris
3  Day 3 13:02:05          Day 3 14:59:37        1:57:32   Milipol Paris
3  Day 3 15:43:03          Day 3 17:02:29        1:19:26   Milipol Paris
3  Day 4 08:31:07          Day 4 10:43:35        2:12:28   Milipol Paris
Table 24: November 2017 suspected demo at Milipol Paris.

6.3.2. Suspected Researcher Activity

We found several short-lived infections on Cyberbit-operated servers that seem less likely to be purposeful infections and more consistent with activity by cybersecurity researchers or other testing activity. We group activity that is temporally similar below, though it is unclear if this activity is related.

We found one infection in the UK on 11/10/2016 lasting ~15s.

We found one infection from Google on 2/7/2017 (lasting 11m), followed by three infections in Germany on 2/7/2017 and 2/8/2017. In Germany, there was one initial infection 14 minutes after the Google infection, with a single pingback. 2h10m later, there was an infection lasting 1 minute.
13h later, there was an infection with a single pingback.

We found an infection with a single pingback from an IP address in Everett, Washington, USA on 10/17/2017.

We found two overlapping infections in Russia on 10/18/2017 (~2m each), followed 20 minutes later by two infections in China, 45 minutes apart (~30s each). We found a ~20s infection in Canada on 10/19/2017.

We found an infection with a single pingback from an IP address registered to Brandon University in Canada on 10/31/2017. We found two infections in Norway on 11/1/2017 (one infection with a single pingback, and one infection 3m30s later lasting for ~20s).

6.3.3. Unexplained Activity

We found several infections on the Cyberbit-operated PSS C&C servers that were long-running, and not from VPN connections or from countries where Cyberbit has a known presence. Thus, this activity did not immediately seem to represent demonstrations or development activity. We found one infection in Iran between 9/20/2016 and 11/22/2016. We found one infection in Canada between 3/7/2017 and 11/22/2017. We found one infection in Finland between 5/26/2017 and 11/28/2017. We found one infection in Indonesia from 10/28/2017 to 11/10/2017. We found one infection in Slovakia from a single IP address active between 11/1/2017 and 12/1/2017. We found one infection in Ethiopia from 10/25/2017 to 12/1/2017, with no known overlap with the Ethiopia client’s IP address space.

6.4.
Spoofed Code Signing Certificates?

We identified several cases where we suspect that the spyware operators, or Cyberbit themselves, obtained digital certificates in the names of real companies, including an Israeli intellectual property law firm.

One malicious Adobe Flash executable we found used by the Ethiopian operator was signed by an authenticode certificate issued by Comodo to a named entity called “Flashpoint IP.”

    CN = Flashpoint IP
    O = Flashpoint IP
    STREET = 2nd Raban Gamliel
    L = Elad
    S = Israel
    PostalCode = 40800
    C = IL
    RFC822 Name=ben.wiseman@flashpoint-ip.com

We found a company called “Flash Point IP,” with the same street address as in the digital certificate, included in the Patent Attorneys Ledger published by Israel’s Ministry of Justice. The website listed by the Ministry of Justice for the firm is flashpointip.com. However, the website in the certificate’s RFC822 name appears to be a lookalike domain that is subtly different: flashpoint-ip[.]com.

We examined the WHOIS registration of the lookalike domain flashpoint-ip[.]com:

    Registrant Name: BEN WISEMAN
    Registrant Organization: FLASHPOINT IP LTD
    Registrant Street: RABAN GAMLIEL 2
    Registrant City: ELAD
    Registrant State/Province: SHOMRON
    Registrant Postal Code: 40800
    Registrant Country: IL
    Registrant Phone: +972.525649427
    Registrant Email: BENWISEMAN99@GMAIL.COM

The firm’s website, flashpointip.com, has a New York registration address, a different registrant name, and a @bezeqint.net contact address.

We found one additional domain, cd-media4u[.]com, registered with the same phone number as flashpoint-ip[.]com. The WHOIS information is:

    Registrant Name: DAN WISEMAN
    Registrant Organization: C. D.
    MEDIA LTD
    Registrant Street: BEN YEHUDA 60
    Registrant City: TEL AVIV
    Registrant State/Province: TEL AVIV
    Registrant Postal Code: 6343107
    Registrant Country: IL
    Registrant Phone: +972.525649427
    Registrant Email: DANWISEMAN99@GMAIL.COM

Note the similar names Dan Wiseman and Ben Wiseman and the similar email addresses danwiseman99@gmail.com and benwiseman99@gmail.com. We found one reference to “CD Media Ltd” which appears to be an Israeli software publisher (http://www.cd-media.co.il/).

Given that we found two instances where the same entity (WHOIS phone number +972.525649427) registered what appear to be lookalike domains for two different Israeli companies, it is possible that these certificates may have been improperly obtained. This is not the first instance in which improperly obtained digital certificates may have been used with commercial spyware. Hacking Team appears to have obtained several digital certificates in the names of people whose passport photos appeared on a now-defunct site, thewhistleblowers[.]org. [4]

[January 12, 2018 update: Following publication of this report, FlashPoint IP Ltd. (FPIP) confirmed in a letter to the Citizen Lab that “the referenced digital certificate…was not obtained by FPIP, and upon information and belief was obtained unlawfully… The alleged misuse of the FPIP name and address is absolutely illegal and without FPIP’s knowledge, and certainly was never approved by any authorized representative.” Additionally, FPIP noted that it sent a cease and desist letter to Cyberbit, which responded “with a general denial of any wrongdoing or unlawful activity on their part, and rejecting the assertions raised in the FPIP letter.
Nonetheless, their letter mentioned (without any admission/consent or prejudice to their rights) that Cyberbit shall take steps to ensure that its products do not use the FPIP name or address or any certificate bearing the FPIP name.”]

We identified two further digital certificates used by the operators, in the names of “Etefaq Consulting Ltd,” and “Emerging European Capital.” These certificates were on samples we downloaded from getadobeplayer[.]com, as well as samples from the Avira Antivirus and Download.com impersonation websites (Section 6.2). Unfortunately, the signatures did not contain the RFC822 Name field, so we do not have any indications as to their legitimacy.

    CN = Emerging European Capital
    O = Emerging European Capital
    STREET = Svaetoplukova 12
    L = Bojnice
    S = Slovakia
    PostalCode = 97201
    C = SK

We found what appears to be the website of “Emerging European Capital” (http://ee-cap.com), which is described as a company offering “Private Banking services to High Net Worth Individuals in Central and Eastern Europe.” The address in the digital certificate matches an address listed on the website. The individual mentioned on the website, Martin Masar, appears to be a real individual, and is listed as serving on the Supervisory Board of Petrocommerce Ukraine Bank. However, without more information, we cannot know whether the digital certificate is legitimate or not.

    CN = ETEFAQ CONSULTING LIMITED
    O = ETEFAQ CONSULTING LIMITED
    STREET = 1 MYKONOS STREET
    L = NICOSIA
    S = NICOSIA
    PostalCode = 1045
    C = CY

We found an “ETEFAQ CONSULTING LIMITED” in the Cyprus corporate registry (# ΗΕ 329071). However, the registered address did not match the address in the digital certificate.
The company’s line of business is unclear, and it appears to maintain a simple (hacked) website with a “Contact Us” form (http://etefaqconsulting.com/).

7. Technical Analysis of the Spyware

Altogether, we analyzed nine samples. This includes the sample from VirusTotal signed by the “C4 Security” certificate (Section 5.1), as well as five samples gathered from getadobeplayer[.]com, and three samples gathered from the Avira Antivirus and Download.com impersonation websites (Section 6.2).

Based on strings found during our analysis of configuration files used by the spyware, these samples cover versions of PSS ranging from v4.3.3 to 6.1.0. Major version changes contain changes to obfuscation techniques, overall structure, and general functionality, while minor version changes seem to contain smaller, less noticeable changes. The following analysis covers the general behavior and characteristics of PSS, with version-specific differences noted where appropriate.

MD5                               Source                                 PSS Version
376f28fb0aa650d6220a9d722cdb108d  VirusTotal                             4.3.3
568d8c43815fa9608974071c49d68232  getadobeplayer[.]com                   5.7.5
80b7121c4ecac1c321ca2e3f507104c2  getadobeplayer[.]com                   5.1.0
8d6ce1a256acf608d82db6539bf73ae7  getadobeplayer[.]com                   5.9.7
840c4299f9cd5d4df46ee708c2c8247c  getadobeplayer[.]com                   6.0.0
961730964fd76c93603fb8f0d445c6f2  getadobeplayer[.]com                   6.0.0
0488cf9c58f895076311bf8e2d93bf63  Avira Antivirus Impersonation Website  6.0.0
ca782d91daea6d67dfc49d6e7baf39b0  Download.com Impersonation Website     6.0.0
f483fe294b4c3af1e3c8163200d60aae  Download.com Impersonation Website     6.1.0
Table 25: Versions of PSS we analyzed.

7.1. Overview

Overall, the samples we analyzed are made up of four main components: the Agent, LnkProxy, Payload DLL, and Pipeserver.
The Agent is the main program responsible for providing operators remote access to an infected machine and carries out most activity after infection. If the Agent is not installed with administrator privileges, then the LnkProxy facilitates the replacement of shortcut (lnk) and executable (exe) files with malicious versions that will try to trick the user into granting administrator privileges to the Agent. The Payload DLL is a small DLL file that is used to infect certain whitelisted DLLs as a persistence mechanism, to ensure that the Agent is running. Finally, the Pipeserver is used to coordinate access to global handles and perform network communication.

Each of these four components is packed and stored inside the initial spyware payload. The earliest version we analyzed (4.3.3) stored these files as either plaintext or as zlib compressed data. Later versions added AES-256-CBC encryption and the use of different keys per dropped component for additional obfuscation (Section 7.3).

7.2. Installation and Persistence

Once a victim executes one of the initial payloads (e.g., a fake Adobe Flash update), the spyware unpacks the Agent component (described in Section 7.4) and saves it to %TEMP%\Profile. Then, the spyware checks to see if it is running with administrator privileges. If so, then the spyware executes the dropped Agent; if not, then the spyware unpacks and installs the LnkProxy component (described in Section 7.5) in an attempt to trick the user into giving it administrator privileges.

Once the dropped Agent has been executed with administrator privileges, either via the main installer or by tricking the user via the LnkProxy technique, the Agent unpacks its configuration file into memory. Next, the Agent checks to see if there is already a version of PSS installed on the victim’s system by checking for the existence of the storage directory used by the spyware.
Depending on the configuration of the current and previous Agents, the Agent may either replace the existing agent or attempt to upgrade the old version. If PSS is not already installed, then the Agent begins installation.

The Agent creates its main storage directory at %CommonAppData%\Profile. Then, it writes its configuration file into the storage directory, using a name defined in the configuration file (versions 4.x and 5.x use the filename diskdrv.dll, while version 6.x uses igfxcls.cfg). The Agent then copies itself into the storage directory (versions 4.x and 5.x use the filename crisvc.exe for the agent, while version 6.x uses the filename igfxcri.exe) while deleting the dropped copy from %TEMP%\Profile.

Next, the Agent unpacks and drops 32- and 64-bit versions of the PipeServer component into the storage directory. These files are named mssvt.dll and mssvt64.dll across all versions of PSS that we have analyzed.

After it has created the necessary files, the spyware sets up its persistence mechanism by infecting copies of certain DLLs on the system with the Payload DLL (which is not saved to disk as a standalone file). The infected copies are placed in the same folder as the executable that will load them, ensuring that the infected DLLs are loaded instead of their legitimate counterparts that may be in other folders (Windows will search the folder containing the application first). The DLLs we saw chosen for infection are related to common web browsers including Chrome, Firefox, and Internet Explorer.
Since web browsers are some of the most commonly used applications on computers, these DLLs are a good choice to ensure that the spyware is running most of the time that the target device is being used.

Finally, the spyware initializes the appropriate PipeServer component by creating a new Desktop, referred to as a “HiddenDesktop” by the spyware, and launching one or more of the EXEs whose DLLs have been replaced with infected versions on this new desktop. When an infected DLL is loaded (Section 5.6), it launches the PipeServer if not already running; the PipeServer in turn launches the Agent if not already running. The Agent then enters into its main command handling loop.

7.3. Obfuscation

The first version of the spyware we analyzed (4.3.3) stored most components as either plaintext data or as zlib compressed binary data. Version 5.x of PSS introduced the additional use of AES-256-CBC encryption for the components. Components obfuscated in this manner contain a short header struct followed by the AES-256-CBC encrypted, zlib compressed data:

    #include <stdint.h>

    /* On-disk layout: the fields are contiguous, so the struct is packed. */
    struct __attribute__((packed)) HEADER {
        char     magic_number[6]; /* 7z signature: 0x37 0x7a 0xbc 0xaf 0x27 0x1c */
        uint32_t iv;              /* first 4 bytes of the AES-CBC initialization vector */
        uint32_t checksum;        /* CRC32 checksum of the data */
        uint32_t length;          /* length of the encrypted data */
    };

In this header struct, magic_number is the magic number for a 7z file [0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c], iv is the first 4 bytes of the initialization vector used in the AES cipher, checksum is a CRC32 checksum of the data, and length is the length of the encrypted data. The initialization vector is padded with null bytes to the correct length for the AES-256-CBC cipher. Version 6.x added an additional data format for AES-256-CBC encrypted data that removes the magic_number. For all versions, the AES key is hardcoded in the executable performing the decryption.
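An added example, not Cyberbit’s or the report’s code, that parses the header above in both the 5.x (with magic) and 6.x (without magic) layouts and recovers a component: it validates the length field against the blob, checks the CRC32, null-pads the 4-byte IV to the AES block size, then decrypts and inflates. Little-endian integer fields, a CRC32 computed over the encrypted data, and PKCS#7 padding are assumptions the report does not state; the key and payload are constructed, and Pack exists only so the sample is self-contained.

```go
package main

import (
	"bytes"
	"compress/zlib"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"hash/crc32"
	"io"
)

// Magic is the 7z signature that opens the 5.x header; the 6.x layout drops it.
var Magic = []byte{0x37, 0x7a, 0xbc, 0xaf, 0x27, 0x1c}

// Header carries the three fields that follow the (optional) magic.
type Header struct {
	IVPrefix [4]byte // first 4 bytes of the AES-CBC IV; the rest is null-padded
	Checksum uint32  // CRC32 (assumption: computed over the encrypted data)
	Length   uint32  // length of the encrypted data
}

// ParseHeader handles both layouts and returns the encrypted body.
// Assumption: integer fields are little-endian.
func ParseHeader(blob []byte) (Header, []byte, error) {
	blob = bytes.TrimPrefix(blob, Magic)
	if len(blob) < 12 {
		return Header{}, nil, errors.New("blob too short for header")
	}
	var h Header
	copy(h.IVPrefix[:], blob[0:4])
	h.Checksum = binary.LittleEndian.Uint32(blob[4:8])
	h.Length = binary.LittleEndian.Uint32(blob[8:12])
	body := blob[12:]
	if h.Length == 0 || h.Length%aes.BlockSize != 0 || uint32(len(body)) < h.Length {
		return Header{}, nil, errors.New("length field inconsistent with blob")
	}
	return h, body[:h.Length], nil
}

func fullIV(prefix [4]byte) []byte {
	iv := make([]byte, aes.BlockSize) // null padding up to the AES block size
	copy(iv, prefix[:])
	return iv
}

// Unpack checks the CRC32, decrypts with AES-256-CBC, strips PKCS#7 padding
// (assumption) and inflates the zlib stream to recover the component.
func Unpack(blob, key []byte) ([]byte, error) {
	h, enc, err := ParseHeader(blob)
	if err != nil {
		return nil, err
	}
	if crc32.ChecksumIEEE(enc) != h.Checksum {
		return nil, errors.New("checksum mismatch: corrupt data or a different format")
	}
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(enc))
	cipher.NewCBCDecrypter(block, fullIV(h.IVPrefix)).CryptBlocks(plain, enc)
	pad := int(plain[len(plain)-1])
	if pad == 0 || pad > aes.BlockSize {
		return nil, errors.New("bad padding: probably the wrong key")
	}
	r, err := zlib.NewReader(bytes.NewReader(plain[:len(plain)-pad]))
	if err != nil {
		return nil, err
	}
	defer r.Close()
	return io.ReadAll(r)
}

// Pack produces a blob in the same format so the sample is self-contained;
// withMagic selects the 5.x (true) or 6.x (false) layout.
func Pack(payload, key []byte, ivPrefix [4]byte, withMagic bool) []byte {
	var z bytes.Buffer
	w := zlib.NewWriter(&z)
	w.Write(payload)
	w.Close()
	pad := aes.BlockSize - z.Len()%aes.BlockSize
	plain := append(z.Bytes(), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(key)
	enc := make([]byte, len(plain))
	cipher.NewCBCEncrypter(block, fullIV(ivPrefix)).CryptBlocks(enc, plain)
	hdr := make([]byte, 12)
	copy(hdr[0:4], ivPrefix[:])
	binary.LittleEndian.PutUint32(hdr[4:8], crc32.ChecksumIEEE(enc))
	binary.LittleEndian.PutUint32(hdr[8:12], uint32(len(enc)))
	var out []byte
	if withMagic {
		out = append(out, Magic...)
	}
	return append(append(out, hdr...), enc...)
}

// SampleKey is a constructed 32-byte key; in PSS the key is hardcoded per executable.
var SampleKey = bytes.Repeat([]byte{0x42}, 32)
```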
Beginning with version 6.x, the spyware additionally began to obfuscate strings, deobfuscating them\r\nonly when needed.\r\nVersion 4.x drops all of its various components directly to disk in an unpacked form when installed. Starting with\r\nversion 5.x, the spyware began to drop intermediate loader executables instead of final components. These loader\r\nexecutables store a component, often the Agent, in the same AES-256-CBC encrypted, zlib compressed format as\r\nabove. When executed, these loaders mimic the Windows executable loader by unpacking their stored payload,\r\nmapping the unpacked PE file’s sections into memory, and resolving any imports before jumping to the PE’s\r\nentrypoint. This technique of storing the unpacked component only in memory is likely an attempt to evade static,\r\nfile-based analysis and detection techniques.\r\nWithin the Agent component, the configuration file is an SQLite database obfuscated using bzip compression,\r\nfollowed by XOR encryption using both the current and previous bytes, along with one byte from the key. This\r\nobfuscation format, and an unusual 36-byte XOR key, the string DC615DA9-94B5-4477-9C33-3A393BC9E63F,\r\nare shared across all the samples we analyzed.\r\n7.4. The Agent\r\nThe Agent is the central component of the spyware and is responsible for carrying out most of the behavior of\r\nPSS. The Agent is a feature-rich spyware capable of a wide range of behaviors. 
Across all samples we analyzed,\r\nwe have seen the following capabilities:\r\nAudio/Video recording including scheduling recordings for a later time\r\nReading browser history and stored passwords\r\nFilesystem operations including creating, deleting, moving, renaming, uploading, and downloading files\r\nEditing/Querying registry keys\r\nGeolocation based on available wifi networks\r\nAccessing Skype databases, call logs, and contacts\r\nListing network connections and devices\r\nStarting/Stopping processes\r\nTaking screenshots\r\nKeylogging\r\nAccessing clipboard data\r\nAccessing recently used file list\r\n7.5. LnkProxy\r\nThe LnkProxy component is only used when the spyware is initially installed without Administrator privileges. In\r\nthis scenario, the spyware searches through the Windows Desktop, Start Menu, and Quick Launch folders looking\r\nfor lnk and exe files. Any files it finds are replaced with malicious copies designed to request administrator\r\nprivileges, launch the legitimate application, and then launch the spyware. This process is designed to trick the\r\nuser into giving PSS administrator privileges.\r\nThe LnkProxy makes a backup of all replaced files, which are restored upon spyware uninstallation or when the\r\nuser unwittingly grants the spyware administrator privileges.\r\n7.6. Payload DLL\r\nThe Payload component of the spyware is a short DLL that is used to infect whitelisted DLLs on the victim’s\r\nsystem as a persistence mechanism. During installation, the spyware searches the victim’s computer for targeted\r\nDLLs and for each that it finds it appends the Payload component to the targeted DLL’s .text section. The\r\nentrypoint of the DLL is then changed to point to this appended code and the infected file is copied to the same\r\ndirectory as the application that uses the DLL. 
This ensures that the infected DLL is loaded by the application\r\ninstead of the original, uninfected version. Figure 11 shows an example of a modified binary infected with the\r\nPayload component.\r\nThe infected DLL starts by checking to ensure that the infected DLL is being loaded by the target program only. It\r\ndoes this by calling the original entrypoint for the infected DLL to get the ImagePathName field of the\r\nProcessParameters struct in the Process Environment Block (PEB). The ImagePathName contains the path of the\r\ncurrently running executable. A checksum of this path is then compared to a hardcoded checksum value stored in the DLL as part of\r\nthe infection process.\r\nIf this check succeeds, the Payload then performs its functions. It first checks to see if the PipeServer is currently\r\nloaded. It does this by decrypting an XOR-encrypted string in the DLL containing the location of the PipeServer\r\ncomponent, calculating a checksum of this string, and then walking the InMemoryOrder list of loaded modules,\r\nchecksumming the ImagePathName of each and comparing it to the checksum of the PipeServer’s path. If the\r\nPipeServer is not currently loaded, the infected DLL loads the PipeServer component and transfers execution to it.\r\n7.7. PipeServer\r\nThe PipeServer component starts by unpacking and loading a small configuration file. This is a small file\r\ncontaining ASCII strings separated by x00’s that define various config options used by the PipeServer. In version\r\n6.x, this file is zlib compressed and encrypted using AES-256-CBC. After loading the configuration file, the\r\nPipeServer creates a series of threads, global events, and mutexes that are used to synchronize actions between\r\ncomponents of the spyware, log messages, and communicate with the command and control server. 
Next, the\r\nPipeServer creates a named pipe for communication with running Agent components. Finally, the PipeServer\r\nstarts an instance of the Agent if one is not already active before entering a main command handling loop. The\r\nspyware uses an XML-based networking protocol for command and control communication. Each request and\r\nresponse is sent as a “transaction.” An example of the XML format used is given below.\r\n\u003c?xml version=\"1.0\"\u003e\r\n\u003ctransaction\r\n   type=\"fromagent\"\r\n   agentid=\"\u003cID\u003e\"\r\n   sn=\"\u003cNUM\u003e\"\r\n   crc=\"\u003cCRC\u003e\"\r\n   encoding=\"base64\"\r\n   encryption=\"aes-256\"\r\n   compression=\"\u003czip|none\u003e\"\u003e\r\n       \u003cDATA\u003e\r\n\u003c/transaction\u003e\r\nDATA is the information to be communicated and is compressed, encrypted, and encoded as described in the\r\nresponse attributes. The AES key used can be either a master key included in the Agent’s configuration or an\r\nindividual private key created after the malware has been installed and initialized. The master key is hard-coded\r\nand is the same across all samples we analyzed.\r\n8. Conclusion\r\nWe have uncovered the use of PC Surveillance System (PSS) spyware by what appears to be agencies of the\r\nEthiopian government to target dozens of individuals. Our investigation shows these targets include an Oromo\r\nmedia outlet based in the United States, OMN, a PhD student, and a lawyer who have worked on Oromo issues, as\r\nwell as a Citizen Lab Research Fellow, Bill Marczak. 
Our analysis also indicates apparent demonstrations of the\r\nspyware in several other countries where leaders have exhibited authoritarian tendencies, and/or where there are\r\npolitical corruption and accountability challenges, such as Nigeria, Philippines, Rwanda, Uzbekistan, and Zambia.\r\nThe habitual misuse of spyware by the Ethiopian government against civil society targets is testament to the lack\r\nof repercussions for such behavior by states and complicity within the commercial spyware industry that supplies\r\nthem. Evidence indicating the Ethiopian government’s misuse of spyware (including Hacking Team’s RCS and\r\nGamma Group’s FinSpy) against journalists, activists, and others has been laid out in prior research over multiple\r\nyears, as well as in a lawsuit filed in US federal court. In a portentous ruling, that suit was dismissed on grounds\r\nthat a tort is not committed entirely in the US — a showing of which was required to obtain jurisdiction over a\r\nforeign sovereign — when a government’s digital espionage is conceived of and operated from overseas, despite\r\nthe fact that the infection occurs and harm is experienced within the US. The digital nature of the tort essentially\r\nallowed a foreign government to violate US laws with impunity. Unsurprisingly, as this report makes clear, the\r\nextraterritorial targeting continues, as do spyware sales to Ethiopia.\r\nThis report also uncovers another player in the nation-state spyware business: Cyberbit, the company that provides\r\nPSS. As a provider of powerful surveillance technology, Cyberbit has the responsibility under both Israel’s export\r\ncontrol regime as well as the UN Guiding Principles on Business and Human Rights to concern itself with the\r\npotential for human rights abuses facilitated through use of its product. 
The fact that PSS wound up in the hands\r\nof Ethiopian government agencies, which for many years have demonstrably misused spyware to target civil\r\nsociety, raises urgent questions around Cyberbit’s corporate social responsibility and due diligence efforts, and the\r\neffectiveness of Israel’s export controls in preventing human rights abuses. The apparent locations of PSS\r\ndemonstrations reinforce those concerns. Moreover, the manner in which the PSS spyware operates suggests that,\r\nto achieve infection, the spyware preys on user trust in legitimate third-party companies and software, such as\r\nAdobe Systems, or the code-signing certificate verification process. These techniques undermine security in the\r\nlarger digital ecosystem and contravene terms of service as well as clear legal standards that exist in many\r\njurisdictions to prevent appropriation of intellectual property. If spyware companies themselves incorporate such\r\ntechniques in order to build a successful product, action is necessary to address the negative externalities that\r\nresult. We have sent a letter to Cyberbit regarding these issues and received a response.  \r\nAs we explore in a separate analysis, while lawful access and intercept tools have legitimate uses, the significant\r\ninsecurities and illegitimate targeting we have documented that arise from their abuse cannot be ignored. In the\r\nabsence of stronger norms and incentives to induce state restraint, as well as more robust regulation of spyware\r\ncompanies, we expect that authoritarian and other politically corrupt leaders will continue to obtain and use\r\nspyware to covertly surveil and invisibly sabotage the individuals and institutions that hold them to account.\r\n9. Acknowledgements\r\nThis work was supported in part by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley. 
Thanks also\r\nto Erik Zouave, Masashi Crete-Nishihata, Lex Gill, Etienne Maynier, Adam Senft, Miles Kenyon, Jawar\r\nMohammed, Etana Habte, Henok Gabisa, and Felix Horne and Cynthia Wong from Human Rights Watch.\r\nFootnotes\r\n1. We found these materials in a Google search. The materials are hosted in an Amazon S3 bucket whose\r\nname is cyberbit. Inspecting the source code of Cyberbit’s website\r\n(https://web.archive.org/web/20170930094240/https://www.cyberbit.com/) yields several references to the\r\nsame S3 bucket. Thus, we assume Cyberbit controls the S3 bucket named cyberbit and that the marketing\r\nmaterials are Cyberbit originals.\r\n2. In January 2016, Cyberbit attempted to convince the WIPO Arbitration and Mediation Center to transfer\r\nthe domain to it from Cyberbit A/S, but the panel refused and declared that Cyberbit had engaged in\r\nreverse domain name hijacking by bringing its complaint in bad faith. However, Cyberbit apparently\r\npurchased the domain in March 2017, judging by WHOIS records.\r\n3. We redact the domain names of non-Ethiopia servers that are still online.\r\n4. e.g., https://web.archive.org/web/20150710202350/http://www.thewhistleblowers.org:80/?cat=3874\r\nSource: https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://citizenlab.ca/2017/12/champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware/"
	],
	"report_names": [
		"champing-cyberbit-ethiopian-dissidents-targeted-commercial-spyware"
	],
	"threat_actors": [
		{
			"id": "a3687241-9876-477b-aa13-a7c368ffda58",
			"created_at": "2022-10-25T16:07:24.496902Z",
			"updated_at": "2026-04-10T02:00:05.010744Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "ETDA:Hacking Team",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e90c06e4-e3e0-4f46-a3b5-17b84b31da62",
			"created_at": "2023-01-06T13:46:39.018236Z",
			"updated_at": "2026-04-10T02:00:03.183123Z",
			"deleted_at": null,
			"main_name": "Hacking Team",
			"aliases": [],
			"source_name": "MISPGALAXY:Hacking Team",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775439160,
	"ts_updated_at": 1775791523,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d02d367c2bcc77b0b5f1ce5ee3206e0de7dbbff.pdf",
		"text": "https://archive.orkl.eu/9d02d367c2bcc77b0b5f1ce5ee3206e0de7dbbff.txt",
		"img": "https://archive.orkl.eu/9d02d367c2bcc77b0b5f1ce5ee3206e0de7dbbff.jpg"
	}
}